Let's encrypt and httpd OpenBSD 7.1
So I run a little private website and decided it was time to move to https via Let's Encrypt. The instructions went fine but are a bit misleading. They make it sound like running the acme client and getting the keys magically makes your server use https. No, you still have to update httpd.conf yourself; OK, fair enough. But it's giving me nothing but problems.
Browsers refuse to connect but
Code:
curl -vi https://www.mysite.net:808
Code:
* Connected to www.mysite.net (x.x.x.x) port 808 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.mysite.net
*  start date: Jul 31 22:56:32 2022 GMT
*  expire date: Oct 29 22:56:31 2022 GMT
*  subjectAltName: host "www.mysite.net" matched cert's "www.mysite.net"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
Code:
# [ MACROS ]
ext_ip = "x.x.x.x"
# ext_ip = "*"       # open to the outside network
# ext_ip = "egress"  # open to only the primary IP address of the network interface

# [ GLOBAL CONFIGURATION ]
# none

# [ SERVERS ]
server "www.mysite.net" {
        listen on $ext_ip tls port 808
        directory auto index
        root "/htdocs/www.mysite.net"
        tls {
                certificate "/etc/letsencrypt/live/www.mysite.net/fullchain.pem"
                key "/etc/letsencrypt/live/www.mysite.net/privkey.pem"
        }
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
}

server "mysite.net" {
        listen on $ext_ip port 80
        block return 301 "http://www.mysite.net$REQUEST_URI"
}

# [ TYPES ]
types {
        include "/usr/share/misc/mime.types"
}
Starting up httpd debug verbose mode shows
Code:
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
server_tls_load_keypair: using certificate /etc/letsencrypt/live/www.mysite.net/fullchain.pem
server_tls_load_keypair: using private key /etc/letsencrypt/live/www.mysite.net/privkey.pem
server_privinit: adding server www.mysite.net
config_setserver_tls: configuring tls for www.mysite.net
server_privinit: adding server mysite.net
server_launch: configuring server www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_launch: configuring server www.mysite.net
server_launch: configuring server www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_tls_init: setting up tls for www.mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_tls_init: adding keypair for server www.mysite.net
server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53681 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53682 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53683 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 192.168.1.32:53684 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 192.168.1.32:53685 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 3 (1 active), 192.168.1.32:53686 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
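As an added example (my own script, not code from the thread or from OpenBSD), here is a small POSIX shell script that pulls the TLS handshake failures out of httpd(8) debug output in the format shown in the post above, so you can see which clients fail and with which TLS alert instead of reading a verbose log by eye. The log lines embedded in it are constructed to match that format; 10.0.0.7 is a made-up second client and x.x.x.x is the placeholder the poster used for the server address.

```shell
#!/bin/sh
# Summarise "tls handshake failed" events from httpd(8) -dv output.
# Added example; the sample log below is constructed, not a real capture.

HTTPD_LOG_SAMPLE='server_launch: running server www.mysite.net
server_launch: configuring server mysite.net
server_launch: running server mysite.net
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53681 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 1 (1 active), 192.168.1.32:53682 -> x.x.x.x:808, tls handshake failed
server_tls_handshake: tls handshake failed - handshake failed: error:1402542E:SSL routines:ACCEPT_SR_CLNT_HELLO:tlsv1 alert protocol version
server www.mysite.net, client 2 (1 active), 10.0.0.7:40001 -> x.x.x.x:808, tls handshake failed'

# Total number of failed handshakes: the per-connection "server ..., client ..."
# lines end with "tls handshake failed", one per failed connection.
tls_failure_total() {
    printf '%s\n' "$1" | awk '/tls handshake failed$/ { c++ } END { print c + 0 }'
}

# Print "<client-ip> <failures>" for every client that failed the handshake,
# most failures first.  Fields are separated by ", " so the third field is
# "<client-ip>:<port> -> <server-ip>:<port>".
tls_failures_by_client() {
    printf '%s\n' "$1" |
    awk -F', ' '
        /^server .*, tls handshake failed$/ {
            split($3, ends, " -> ")
            sub(/:[0-9]+$/, "", ends[1])   # drop the ephemeral source port
            n[ends[1]]++
        }
        END { for (ip in n) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# Print "<count> <alert text>" for each distinct libssl error httpd logged,
# e.g. "tlsv1 alert protocol version": the text after the last ":" of the
# "server_tls_handshake:" line.
tls_alert_reasons() {
    printf '%s\n' "$1" |
    awk '
        /^server_tls_handshake: tls handshake failed/ {
            reason = $0
            sub(/.*:/, "", reason)
            n[reason]++
        }
        END { for (r in n) printf "%d %s\n", n[r], r }
    ' | sort -nr
}

# Stand-alone use: pass a saved "httpd -dv" log as $1, or run with no
# argument to analyse the constructed sample.
log="${1:+$(cat "$1")}"
[ -n "$log" ] || log="$HTTPD_LOG_SAMPLE"
echo "handshake failures: $(tls_failure_total "$log")"
echo "by client:";  tls_failures_by_client "$log"
echo "by reason:";  tls_alert_reasons "$log"
```

On the log in the post every failure comes from one LAN address (192.168.1.32) with the same alert, which is the kind of pattern this summary makes obvious: the server's own key and certificate loaded fine, and the curl run from another machine negotiated TLS 1.3, so the failing client is the place to look.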
Looks like a TLSv1 issue. I have a ciphers line, just below my key and certificate lines. Try adding this in the tls section:
Code:
ciphers "TLSv1.2:!CAMELLIA:!ARIA:!DSS:!ADH:!PSK:!RSA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"
It looks like things are mostly working now. The block return 301 line is supposed to redirect http to https, correct? Something is up with that section. I ended up fixing my html code to reflect the new https prefix.
Quote:
I think your block return line needs to be this:
Code:
block return 301 "https://www.mysite.net:808$REQUEST_URI"
Yes, that block line is to redirect to https.
I use the $SERVER_NAME macro to make it easier:
Code:
block return 301 "https://$SERVER_NAME$REQUEST_URI"
Code:
block return 301 "https://$SERVER_NAME:808$REQUEST_URI"
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
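Pulling the thread together, here is an added example (my own script, not from the thread or from the OpenBSD project) that writes a complete httpd.conf for the setup discussed: a TLS server on port 808 with the cipher string suggested above, plus a port 80 server that still answers the ACME challenge and redirects everything else using $SERVER_NAME and the port, as in the last reply. It also checks the cipher string for the kind of copy/paste damage seen above (a space inside a cipher name) and runs httpd's own syntax check, httpd -n -f, when httpd(8) is present. The site name, port and key paths are the placeholders from the original post; protocols, hsts and alias are httpd.conf(5) options the thread did not use, and both server blocks carry the www name so that $SERVER_NAME expands to the host that actually has the TLS listener.

```shell
#!/bin/sh
# Generate and sanity-check an httpd.conf for TLS on a non-standard port
# with an HTTP-to-HTTPS redirect.  Added example; names are placeholders.

SITE="www.mysite.net"                                    # placeholder from the thread
TLS_PORT="808"
CERT="/etc/letsencrypt/live/${SITE}/fullchain.pem"       # paths from the thread
KEY="/etc/letsencrypt/live/${SITE}/privkey.pem"
# Cipher string suggested in the thread, with the "ECDH E" paste damage repaired.
CIPHERS="TLSv1.2:!CAMELLIA:!ARIA:!DSS:!ADH:!PSK:!RSA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"

# Return 0 when every ":"-separated token looks like an OpenSSL/LibreSSL
# cipher-list token (optional !, + or - prefix, then letters, digits, _ - @ = .),
# 1 otherwise.  Whitespace inside a token is exactly the error you get when a
# cipher string is pasted from a web page.
lint_cipher_string() {
    [ -n "$1" ] || return 1
    if printf '%s\n' "$1" | tr ':' '\n' | grep -Eqv '^[!+-]?[A-Za-z0-9_@=.-]+$'; then
        return 1
    fi
    return 0
}

# Write the full configuration to the path given as $1.
# The port 80 server serves /.well-known/acme-challenge/ for renewals and
# sends every other request to the TLS listener; "location *" is the
# catch-all pattern used in /etc/examples/httpd.conf.
write_httpd_conf() {
    cat > "$1" <<EOF
ext_ip = "egress"

server "${SITE}" {
        listen on \$ext_ip tls port ${TLS_PORT}
        directory auto index
        root "/htdocs/${SITE}"
        hsts
        tls {
                certificate "${CERT}"
                key "${KEY}"
                ciphers "${CIPHERS}"
                protocols "TLSv1.2:TLSv1.3"
        }
}

server "${SITE}" {
        alias "mysite.net"
        listen on \$ext_ip port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * {
                block return 301 "https://\$SERVER_NAME:${TLS_PORT}\$REQUEST_URI"
        }
}

types {
        include "/usr/share/misc/mime.types"
}
EOF
}

# Run httpd's own parser over the file when httpd(8) is installed (i.e. on
# the OpenBSD host); elsewhere report that the check was skipped.
check_httpd_conf() {
    if command -v httpd >/dev/null 2>&1; then
        httpd -n -f "$1"
    else
        echo "httpd(8) not found, syntax check skipped for $1"
    fi
}

# Stand-alone use: sh this-script.sh /tmp/httpd.conf.test
if [ $# -ge 1 ]; then
    lint_cipher_string "$CIPHERS" || { echo "bad cipher string: $CIPHERS" >&2; exit 1; }
    write_httpd_conf "$1"
    check_httpd_conf "$1"
fi
```

Run it with an output path, then diff the result against /etc/httpd.conf; a passing httpd -n only proves the syntax, so after rcctl restart httpd re-run the curl -v from the post and confirm that a plain http://mysite.net/ request answers with a 301 whose Location carries the port.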